Impact
An unauthenticated PHP Object Injection flaw exists in the Moderno WordPress theme for versions lower than 1.43. The vulnerability allows an attacker to supply malicious serialized objects, which the theme deserializes without proper validation. This flaw is a CWE-502 type weakness and can enable execution of arbitrary PHP code, compromising the confidentiality, integrity, and availability of the affected web site.
Affected Systems
The vulnerability affects the WordPress Moderno Theme, developed by park_of_ideas, specifically any release earlier than version 1.43.
Risk and Exploitability
The CVSS score of 9.8 indicates critical severity. Although the EPSS score is not available, the lack of a KEV listing does not diminish the risk; an attacker who can send crafted requests to the theme can exploit the flaw with no authentication. The vulnerable code path is likely reachable via any publicly accessible page that loads the theme, making the attack vector remote and unrestricted.
OpenCVE Enrichment